Introduction
Within the European Economic Area (that is, the EU member states plus Iceland, Liechtenstein and Norway; hereinafter EEA or Europe), data protection is appreciated as both a right and a freedom: a right to protection from risks emanating from processing personal data and a freedom of the processors of personal data – both fall within the scope of protection by the EU General Data Protection Regulation (GDPR) – however, within the territory and jurisdiction of the EU (Ntouvas, 2019). This means that within Europe, the GDPR permits for a free flow of personal data, also placing an obligation on all EEA member states to be bound to the protection standards set by the GDPR (Wagner, 2018). However, the application of the GDPR reaches also beyond the jurisdictional borders of the EEA in that the processing of personal data of EEA citizens and residents must abide by GDPR prescripts even when such processing occurs outside Europe1. This is evidence that the application of the GDPR focuses on the individual rights of European citizens and residents, which, in the case of data protection and information security, supersede countervailing interests like the free flow of information (Ryngaert & Taylor, 2020).
E-commerce and online transactions across the globe have very quickly become the norm. While the GDPR has been criticised for hampering international trade outside of the EU, surveys conducted in Europe show the already high importance placed on the protection of personal data – by both the private and public sectors (Yakovleva & Irion, 2020): reality is that individuals and businesses pay the price for the disregard of data privacy, which can ultimately result in identity theft, extensive revenue losses as well as the infringement of individual and societal values (Yakovleva & Irion, 2020).
Adequacy Decision and Appropriate Safeguards
The GDPR allows the transfer of personal data of EEA citizens and residents outside of Europe provided (a) the destination country has been subject to an adequacy decision and (b) appropriate safeguards to protect the said personal data have been put in place (EU IT Governance Privacy Team, 2019). Put differently, the adequacy principle is encapsulated in Article 45 of the GDPR and broadly requires that, before personal information of European citizens and residents is transferred outside of Europe, approval must be sought in advance from the European Commission to ensure that such personal data is duly protected, in the relevant foreign jurisdiction, at the same level as in Europe (Phillips, 2018). Article 46 of the GDPR prescribes that, in the absence of an adequate decision (as per Article 45), a controller [1] or processor [2] may permit a transfer of personal data to third countries (i.e. countries outside the Union), subject to appropriate safeguards [3][4].
Safeguards for international data transfers set out in the GDPR
- Distinction between “adequate” and “non-adequate” countries outside the EEA for the purpose of determining the adequacy of safeguards for the protection of personal data. To arrive at adequacy decisions, the European Commission takes into consideration factors like the rule of law, the existence legislation pertaining to criminal law, defence, public security as well as manifest respect for human rights and fundamental freedoms (EU IT Governance Privacy Team, 2019). The European Commission publishes the complete list of adequate countries on its website.
- Binding Corporate Rules (BCRs) allow for company groups (or groups of companies) with group companies outside the EEA to set out their own global policy pertaining to the transfer of personal data, which would apply within such group. Such BCRs, however, are subject to prescribed content requirements, an approval process coordinated by one Data Protection Authority (DPA) in Europe and due compliance once approval is obtained (for example, data protection audits, prescribed training for personnel with access to personal data). It is important to note that the BCRs cover only the transfer of personal data intra-group (and, as such, excludes third parties). Company groups most likely to benefit from BCRs are those with a complicated internal network of processing activities.
Also, the following additional benefits are derived from large corporate groups with global presence [5]:
Gold standard: BCRs based on GDPR are perceived as the “gold standard” for data protection compliance. The commercial and reputation values also lie in the fact that not many companies world-wide have these,
Regulator approved: tied to the above, BCRs are vetted and audited via GDPR certification mechanisms,
Compliance effectiveness: BCRs are binding on all group companies “by design” (unlike standard model clauses, which are bilateral instruments between all group companies involved),
Agility & efficiency: approved BCRs imply the introduction of a company (and group) wide data privacy governance and policy framework that are easier transferable in the event of M&As, divestments and de-mergers.
- Standard Contractual Clauses (SCCs): these are drafted by the European Commission and can also be drafted by the local Data Protection Authority (DPA). Required here is the signature of the company exporting the personal data (data exporter) and the company receiving the same (data importer) – provided the data exporter is able to comply with the Standard Model Clauses in the agreement. These clauses incorporate contractual duties on the data exporter and the data importer [6]. SCCs are currently the most utilised method by commercial entities, for lawful cross-border transfers of personal data (Bradford, Aboy, & Liddell, 2021). SMEs favour this method too and it is imperative that they keep abreast of any amendments subsequently enforced by the European Commission: the data exporter is more likely to be targeted for regulatory scrutiny and should, as such, take precautions such as remaining knowledgable of the jurisdictions, where to personal data was transferred in the past, regularly reviewing the international data transfer mechanism (e.g. BCRs) to ascertain if these are still appropriate for the business, and having mechanisms in place to ensure compliance on the part of the data importer [7]. As at the publication of this article, the European Commission published the final version of the new SCCs on 4 June 2021 (Blaney, Shankar, & McMullon, 2021).
- Approved certification mechanism: here, compliance with GDPR is shown via certification, data protection seals and marks, plus binding and enforceable commitments.
- Approved Code of Conduct: it includes provisions on the international transfer of personal data together with binding and enforceable commitments on the application of the Code.
- Ad-hoc contracts: these must be approved by a competent Supervisory Authority.
- Derogations: where there are neither adequacy decisions nor appropriate safeguards, the GDPR permits the transfer of personal data – provided the data subject has been informed of the possible risks pertaining to the imminent transfer and has expressly consented thereto. Data transfer is also allowed where the transfer is necessary for the conclusion or performance of an agreement with or in the interest of the data subject or to protect vital interests of the data subject. Alternatively, also for the ascertainment, processing or defence of legal claims.
It is important to keep in mind that the above appropriate safeguards (as per Article 46 GDPR), collectively and individually, constitute multi-tiered alternatives for data protection, duly relying on the law, technology and organisational commitments (Bradford, Aboy, & Liddell, 2021).
Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0)
On 18 June 2021, the European Data Protection Board (edpb) adopted an updated version of its recommendation 01/2020 (after public consultation), which it had adopted on 10 November 2020 for public consultation [9]. The central focus of this edpb recommendation relates to the principle of accountability, which is deemed as “necessary to ensure the effective application of the level of protection conferred by the GDPR also applies to data transfers to third countries since they are a form of data processing in themselves” (para. 1.4 of the edpb recommendation). Therefore, controllers and processors are obliged to remain accountable, at all times, when processing and transferring the personal data impacted by the GDPR (para. 1.5 of the edpb recommendation).
edpb Roadmap to Apply the Principle of Accountability to Data Transfers in Practice
The roadmap devised by the edpb serves to guide controllers and processors through the processing and international transfer of personal data that falls within the scope of the GDPR.
At the same time, the steps contained in this roadmap also illustrates the centrality of the principle of accountability as well as the vulnerability of the said personal data in the context of international transfer that has grown to become an integral part of our lives:
1. Know your transfers
This step requires controllers and processors to be intimately familiar with all transfers and includes appreciating the complexity. When duly recording and mapping all transfers, due consideration must be paid to the entire personal data processing value chain, the GDPR principle of data minimisation and the wide definition of the notion of “transfer” applicable especially to international cloud infrastructures [10].
2. Identifying the transfer tools relied upon
This next step requires of controllers and processors to select the transfer tools, as listed in Chapter V of the GDPR [11]. The edpb recommendation, in this part, sets out practical guidelines pertaining to adequacy decisions, Article 46 transfer tools (being the appropriate safeguards) and derogations [12].
3. Assessment whether the Article 46 transfer tool selected is effective considering all circumstances of the transfer
The controllers and processors are accountable to ensure that the selected Article 46 tool is, in fact, effective in duly safeguarding the level of protection guaranteed by the GDPR. The requisite assessment includes that of the third country where the said personal data is intended to be transferred to and, more specifically, the laws and practices of such country, as relevant to the said transfer, as applicable to human rights and other rights and freedoms guaranteed in Europe. Also, matters such as the purpose of the sought transfer, the format of the said data and the types of entities involved will need to be considered. The assessment process to be undertaken by controllers and processors is rigorous and the documentation hereof possibly subject to scrutiny by the relevant supervisory and / or judicial authorities [13].
4. Adoption of supplementary measures
This step requires of controllers and processors to visit the outcome of the assessment conducted in step 3 above. If the outcome of the assessment is that the selected GDPR transfer tool is not effective, then it may be necessary to ascertain if supplementary measures [14] exist. Just like with the transfer tools, controllers and processors are required to assess which of the contractual, technical or organisational supplementary measures are most effective for the different third countries. This assessment also requires due consideration of factors like the format of the data, the length and complexity of the data processing workflow as well as the possibility that the said data could be subject to onward transfer [15]. Examples of supplementary measures (along with use cases and examples) are set out in Annex 2 of this edpb recommendation, and constitute technical measures, additional contractual measures and organisational measures.
5. Procedural steps where effective supplementary measures have been identified
Subject to effectiveness, the selected supplementary measures to be implemented by the controllers and processors have been listed as follows:
-
- Standard protection clauses (SCCs);
- Binding corporate rules (BCRs); and
- Ad hoc contractual clauses [16].
6. Ongoing re-evaluation
Showing accountability also means that controllers and processors must, on a regular basis and when appropriate, monitor all relevant developments in the third countries, where the transfer of relevant personal data has occurred. This step also requires the introduction and maintenance of reliable mechanisms, which ensure the immediate suspension or termination of transfers where there has been a breach of Article 46 GDPR tools or where the implemented supplementary measures are no effective in the said third countries [17].
Closing Remarks
The regulation of international data transfer by the GDPR is multi-layered and complex, especially in the absence of an “adequacy decision” by the European Commission: in terms of the latest provisions pertaining to SCCs, for example, affected controllers and processors are required to adopt SCCs in relation to their customers, affiliates and suppliers by December 2022 (Blaney, Shankar, & McMullon, 2021). The GDPR along with binding judgements by the Court of Justice of the European Union (CJEU) and the publications by the edpb will continue to be tested, streamlined and, in some cases even invalidated (Ktenas, 2021), leaving companies vulnerable. For the controllers and processors of the personal data of EU citizens and residents this means acquiring reliable advisory services and keeping a close ear to the ground for the many new developments, in this regard.
Bibliography
Blaney, R. P., Shankar, V. V., & McMullon, K. (2021, June 7). Navigating the New Standard Contractual Clauses for International Data Transfers under the GDPR. National Law Review, XI(158).
Bradford, L., Aboy, M., & Liddell, K. (2021). Standard contractual clauses for cross-border transfers of health data after Schrems II. Journal of Law and the Biosciences, 8(1), pp. 1-36.
IT Governance Privacy Team. (2019). EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide (Vol. 3). Cambridgeshire: IT Governance Ltd.
Ktenas, N. (2021). European Union: International Data Transfers Under The GDPR: From Schrems To The New Standard Contractual Clauses And The EDPB Recommendations. mondaq.
Ntouvas, I. (2019). Exporting personal data to EU-based international organizations under the GDPR. International Data Privacy Law, 9(4), pp. 272-284.
Phillips, M. (2018). International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Human Genetics, 137, pp. 575-582.
Ryngaert, C., & Taylor, M. (2020). The GDPR as Global Data Protection Regulation? AJIL Unbound, 114, 5-9. doi:10.1017/aju.2019.80
Wagner, J. (2018). The transfer of personal data to third countries under the GDPR: when does a recipient country provide an adequate level of protection? International Data Privacy Law, 8(4), pp. 318-337.
Yakovleva, S., & Irion, K. (2020). Pitching trade against privacy: reconciling EU governance of personal data flows with external trade. International Data Privacy Law, 10(3), pp. 201-221.
Notes
[1] A data controller determines the purpose for which and the means by which personal data is processed. So, if a company/ organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller. Employees processing personal data in such a company / an organisation do so to fulfil its tasks as data controller.
[2] The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
[3] https://www.dataprotection.ie/en/organisations/international-transfers/transfers-personal-data-third-countries-or-international-organisations
[4] https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-the-future-of-international-data-transfer.html
[5] https://www.bakermckenzie.com/-/media/files/insight/publications/2020/01/binding-corporate-rules.pdf
[6] https://www.dataprotection.ie/en/organisations/international-transfers/transfers-personal-data-third-countries-or-international-organisations
[7] https://www.bakermckenzie.com/-/media/files/insight/publications/2019/12/sccs-are-under-scrutiny.pdf
[8] https://bg.schindhelm.com/en/news-jusful/news/new-eu-data-protection-law-data-transfer-to-third-countries
[9] https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
[10] Paras. 8 – 13
[11] Chapter V (Arts. 44 – 50) regulates the transfer of personal data to third countries or international organisations and, more specifically, outlines the requirements pertaining to adequacy decisions (Art. 45), appropriate safeguards (Art. 46), binding corporate rules (Art. 47), transfers or disclosures not authorized by Union law (Art. 48), derogations for specific situations (Art. 49) and international cooperation for the protection of personal data (Art. 50).
[12] Paras. 14 – 27
[13] Paras. 28 – 49
[14] Supplementary measures are supplementary to the safeguards entailed in Article 46 and to any other tools (for example, technical security measures) that are provided for in the GDPR.
[15] Paras. 50 – 58
[16] Paras. 59 – 66
[17] Paras. 67 – 68
